Tuts 4 You

Leaderboard

  1. kao (Full Member+) - Points: 217, Posts: 2,540
  2. whoknows (Full Member+) - Points: 161, Posts: 1,100
  3. CodeExplorer (Moderator) - Points: 149, Posts: 3,161
  4. Teddy Rogers (Administrator) - Points: 123, Posts: 9,109


Popular Content

Showing content with the highest reputation since 10/22/2020 in all areas

  1. I am of the opinion that any solution posted here should be reproducible (hence the name tuts4you). Anyone reading my solution should be able to follow the steps and get to the same conclusion. For the case of a VM, since they are complicated beasts, it means it gives me only two options: I would have to release the source code of any type of devirtualizer that I would've made, or I would have to spend an entire blog post talking about how VMP's VM works and how to reverse it. While I genuinely enjoy doing both, both options take a lot of time, something I have very little of these days. But even if I had the time, it's arguably not really worth it. If I were to make a devirtualizer for VMP and release it, it will not take long for the VMP developers to catch on and update their software. Unless the devirtualizer was made in such a way that it would be resistant towards the kinds of changes (which again, takes more time), it means it is probably only going to be useful for a short period. Just doing this for a single unpackme posted on a forum does not really make it worth it for me. Also, while I generally don't have any problem with publishing articles or source code (unlike other people that post solutions here it seems), I do have a problem with potentially harming other people's businesses. I am not a fan of releasing devirtualizers or unpackers for protectors that are still in business and have customers. From a legal and ethical perspective, that's just not something I would do easily. Generally speaking though, with reverse engineering it is often not required to fully unpack anyways. You extract what you need and leave out the unimportant business. In a lot of cases that does not require a full deobfuscation. Especially not with keygenme's like these. Maybe someone else thinks differently about that, and does pick this up as a challenge though
    11 points
  2. Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit): 1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET. 2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections. 3. Spend some time analyzing the Agile.NET VM; we find out that its VM is somewhat different to others as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize the de4dot devirtualizer. In order to add support we have to track down the original runtime dll that's shipped with the protector to extract the non-merged handler information. After some manual cleanup the result is the following, unpacked file attached. UnpackMe-unpacked.exe
    11 points
  3. No, it really isn't. It stops 10-year olds from running ready made tools, and that's about it. Password is: There are 3 ways to solve it: Easy way (1/10): open file in hex editor, check the strings and find solution there. Slightly harder (2/10): run crackme under any tracer/profiler, see what functions it calls, see correct string as one of the parameters. "Extremely hard" (3/10): open DnSpy and Visual Studio and fix OldRod source code. You'll need like 5 minutes for that. 1) Compare original KoiVM method handlers with DiamondVM method handlers: KoiVM: DiamondVM: As you can see, DiamondVM has 2 useless string arguments and "id" parameter has been moved from 2nd position to 1st. Side note - DiamondVM author tried to get rid of "id" parameter and use A_3.Length instead. However he/she failed miserably and "id" is still there.. Open OldRod file OldRod.Pipeline\Stages\VMMethodDetection\VMMethodDetectionStage.cs and change method signatures + parameter count:

     //..around line 36..
     /*
     private static readonly IList<string> Run1ExpectedTypes = new[]
     {
         "System.RuntimeTypeHandle",
         "System.UInt32",
         "System.Object[]"
     };
     private static readonly IList<string> Run2ExpectedTypes = new[]
     {
         "System.RuntimeTypeHandle",
         "System.UInt32",
         "System.Void*[]",
         "System.Void*",
     };
     */
     private static readonly IList<string> Run1ExpectedTypes = new[]
     {
         "System.UInt32",            // moved
         "System.String",            // useless
         "System.RuntimeTypeHandle",
         "System.String",            // useless
         "System.Object[]"
     };
     private static readonly IList<string> Run2ExpectedTypes = new[]
     {
         "System.UInt32",            // moved
         "System.String",            // useless
         "System.RuntimeTypeHandle",
         "System.String",            // useless
         "System.Void*[]",
         "System.Void*",
     };

     // ...around line 158 ...
     switch (method.Signature.ParameterTypes.Count)
     {
         //case 3:
         case 5:
             if (HasParameterTypes(method, Run1ExpectedTypes))
                 info.RunMethod1 = method;
             break;
         //case 4:
         case 6:
             if (HasParameterTypes(method, Run2ExpectedTypes))
                 info.RunMethod2 = method;
             break;
     }

     Build your modified OldRod and run it with parameter "--koi-stream-name #VM " to work around other change in DiamondVM. Done! Devirtualized file attached. UnpackMe.exe_VM-cleaned.zip
    11 points
  4. Went for a keygen instead of a full devirtualization. I don't fancy devirtualizing VMProtect stacked on top of KoiVM, so I went with a fully dynamic analysis approach. Code is clear enough though if you are able to set the right breakpoints at the right places. Personally am not a fan of including anti-VM in challenges, it only makes it annoying rather than interesting, but maybe that's just me. Sample key: Approach: Keygen.cs
    10 points
  5. Tango down for 109.201.133.80 (keygens.pro, serials.be, crack.ms) Meanwhile, 54.36.184.139 (crackinns.com, torrentheap.com, crackheaps.com, cracknets.net, cracksnet.net, cracknet.net, keygenit.net, keygenom.net, cracksgurus.com, keygenninja.com, serialms.com, mackeygens.com, mediagetsite.com, get.ziplink.xyz, get.ziplink.stream) are still spreading malware. Abuse sent too, but nothing followed for the moment, so here is some insight about their infra in the meantime (when all else fails, crowbar the fornicationer) Embedded mini-admin panel to administrate the fake sites, allows them to disable links, blacklist keywords on site, redirect on affil, etc.. Okay cool, you might want to see some numbers now? The site with highest traffic is keygenninja with around 13k visits per day, and they infect/install roughly 10k per day. As mentioned in previous post the end user gets a bunch of crap (trojan.miner, password stealer, serial numbers stealer, PUPs..) The exfiltrated passwords are sent to t4p.xyz, a domain registered by alelolay[@]protonmail.com, who also owns a few other domains (q1f.xyz, crypto-trad1ng.xyz, trading-solutions.xyz) That's all, for the moment!
    10 points
  6. 35,425 downloads

    A collection of tutorials aimed particularly for newbie reverse engineers.

    01. Olly + assembler + patching a basic reverseme
    02. Keyfiling the reverseme + assembler
    03. Basic nag removal + header problems
    04. Basic + aesthetic patching
    05. Comparing on changes in cond jumps, animate over/in, breakpoints
    06. "The plain stupid patching method", searching for textstrings
    07. Intermediate level patching, Kanal in PEiD
    08. Debugging with W32Dasm, RVA, VA and offset, using LordPE as a hexeditor
    09. Explaining the Visual Basic concept, introduction to SmartCheck and configuration
    10. Continued reversing techniques in VB, use of decompilers and a basic anti-anti-trick
    11. Intermediate patching using Olly's "pane window"
    12. Guiding a program by multiple patching.
    13. The use of API's in software, avoiding doublechecking tricks
    14. More difficult schemes and an introduction to inline patching
    15. How to study behaviour in the code, continued inlining using a pointer
    16. Reversing using resources
    17. Insights and practice in basic (self)keygenning
    18. Diversion code, encryption/decryption, selfmodifying code and polymorphism
    19. Debugger detected and anti-anti-techniques
    20. Packers and protectors : an introduction
    21. Imports rebuilding
    22. API Redirection
    23. Stolen bytes
    24. Patching at runtime using loaders from lena151 original
    25. Continued patching at runtime & unpacking armadillo standard protection
    26. Machine specific loaders, unpacking & debugging armadillo
    27. tElock + advanced patching
    28. Bypassing & killing server checks
    29. Killing & inlining a more difficult server check
    30. SFX, Run Trace & more advanced string searching
    31. Delphi in Olly & DeDe
    32. Author tricks, HIEW & approaches in inline patching
    33. The FPU, integrity checks & loader versus patcher
    34. Reversing techniques in packed software & a S&R loader for ASProtect
    35. Inlining inside polymorphic code
    36. Keygenning
    37. In-depth unpacking & anti-anti-debugging a combination packer / protector
    38. Unpacking continued & debugger detection by DLL's and TLS
    39. Inlining a blowfish scheme in a packed & CRC protected dll + unpacking Asprotect SKE 2.2
    40. Obfuscation and algorithm hiding
    8 points
  7. Necrobit: To mess up the old de4dot implementation, the .NET Reactor changed the P/Invoke methods, but for the unpack, you can use the SMD from Code Cracker, which will do an excellent job of this.
     Control Flow: To break de4dot.blocks, ezriz added a number of instructions to the flow cases, which de4dot cannot process; it's easy to fix it, just repeat after me)
     String Encrypt: Ezriz changed the resource encryption algorithm for strings, which messed up the old decryptor implementation. This problem is solved by dynamic emulation of the method, obtaining the LDC.I4 values for initializing the decrypt method. I will show an example of getting a MethodDef by the Call dnlib operand.
     Hide Methods Calls NEW!: New reactor protection, taken half from open source fuser. The bottom line is that system methods are initialized from delegates. It sounds scary, let's try to figure it out))
     Well, we won the new reactor, I hope you enjoyed this article, thanks for reading)) All The Credit Goes to Eshelon Mayskih
    8 points
  8. This is an update to my last post, I've decided to continue working on my unpacker and was able to figure out how to decrypt operands; when it comes to callinternal, its operand, when decrypted, tells you which method to execute. The next problem I've gotten was homomorphic encryption, but it wasn't a hard nut to crack, all you have to do is bruteforce the key and use it to decrypt the method body. With all this I've finally made the devirtualiser and was able to unpack the assembly. Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of debug code (I haven't removed it, I've just put if(true)return; at the beginning of each debug method). Here is a video of me unpacking it: https://streamable.com/gynmi9 The file password is superfrog. For some reason I couldn't upload the raw exe so I zipped it ggggg-unpacked-cleaned.zip
    7 points
  9. Target uses homomorphic encryption of two pieces of code, which are the crucial part of verifying the serial. Not sure if it's keygennable, maybe someone else will make it. If the string that we enter to the input box is passed to these following two methods and both of them return expected result then we get goodboy ("Hooollaaaaa :)") message. Result of this method

     internal static int check1(string input)
     {
         int num = 0;
         for (int i = 0; i < input.Length; i++)
         {
             num += (int)(input[i] + 'P');
         }
         return num;
     }

     must be 5214. Result of this method

     internal static int check2(string input)
     {
         int num = 0;
         for (int i = 0; i < input.Length; i++)
         {
             num += i * (int)input[i] % 0x7FFFFFFF;
         }
         return num;
     }

     must be 40106
    7 points
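Added example, not part of the post or its author's work: the two checks above ported to Python, with a constructive search (rather than brute force) for a printable-ASCII input that satisfies both. Both checks are linear sums over the code points, so an input can be built directly by fixing the plain sum and then shifting units between positions; the targets 5214 and 40106 are the values stated in the post, and the character range 33..126 is an assumption.

```python
# Ports of the two checks from the post. C# char arithmetic is integer
# arithmetic on the UTF-16 code unit, so ord() matches it for ASCII input.
# check1 is a plain sum shifted by 'P' (80); check2 is a position-weighted sum.
# For short printable input every term is far below 0x7FFFFFFF, so the modulo
# never changes a value; it is kept only to mirror the C#.
TARGET1 = 5214   # required result of check1, as stated in the post
TARGET2 = 40106  # required result of check2, as stated in the post


def check1(s: str) -> int:
    return sum(ord(ch) + ord("P") for ch in s)


def check2(s: str) -> int:
    return sum((i * ord(ch)) % 0x7FFFFFFF for i, ch in enumerate(s))


def find_key(target1: int = TARGET1, target2: int = TARGET2,
             lo: int = 33, hi: int = 126, max_len: int = 64):
    """Build a string of code points in lo..hi (assumed printable range) with
    check1 == target1 and check2 == target2, or return None."""
    shift = ord("P")
    for n in range(1, max_len + 1):
        total = target1 - shift * n          # plain sum of code points check1 needs
        if not lo * n <= total <= hi * n:    # unreachable at this length
            continue
        base, rem = divmod(total, n)
        codes = [base + (1 if i < rem else 0) for i in range(n)]  # sum == total
        need = target2 - sum(i * c for i, c in enumerate(codes))
        while need:
            # Moving one unit from index i to i+d keeps the plain sum and raises
            # the weighted sum by exactly d (lowers it when moved the other way).
            # Choosing d <= |need| means the loop never overshoots the target.
            moved = False
            for d in range(min(abs(need), n - 1), 0, -1):
                for i in range(n - d):
                    src, dst = (i, i + d) if need > 0 else (i + d, i)
                    if codes[src] > lo and codes[dst] < hi:
                        codes[src] -= 1
                        codes[dst] += 1
                        need -= d if need > 0 else -d
                        moved = True
                        break
                if moved:
                    break
            if not moved:
                break  # no legal move left at this length; try a longer one
        if need == 0:
            return "".join(chr(c) for c in codes)
    return None


if __name__ == "__main__":
    key = find_key()
    print(repr(key), check1(key), check2(key))
```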
  10. fixed in v1.7 https://githacks.org/vmp2/vmemu/-/releases/v1.7 (make sure your commandline arguments are also correct)... Also be aware that vmemu currently does NOT support dumped modules as it uses LoadLibraryExA - DONT_RESOLVE_DLL_REFERENCES to load the module... Support for dumped modules will come very shortly, as well as an auto unpacking/drag & drop project.
    7 points
  11. I just published my own write-ups on my GitHub, if anyone is interested https://github.com/Washi1337/ctf-writeups/tree/master/FlareOn/2020
    7 points
  12. Here are some of my keygen/crack GFX's / templates i've made on photoshop + WinASM studio these days : (1) https://imgur.com/vS71RaO (2) https://imgur.com/3fWUf30 (3) https://imgur.com/5YfB8Xg (4) https://imgur.com/2Bt54Ne (5) https://imgur.com/fDC4FfK (6) https://imgur.com/p4TBQ4J (7) https://imgur.com/gNOgPnR (8) https://imgur.com/vkwSQ01 Please note that PERYFERiAH team is not a warez group. It is actually a vlogging team since i was making vlogs in high school in the past. And the people of the PERYFERiAH (PRF for short) were actually my high school friends (not "crackers/keygenners" as they were mentioned on the templates) and i have always made vlogs with them until March (haven't made vlogs from march because of the Covid19 pandemic and the high school was also closed after all). I've founded this team since 2018 and we have started to make vlogs in high school (not only there, but i've also made on different locations). But in this topic, i've just wanted to show you all my GFX skills and even Assembly language programming skills (i've included only these images because they have keygen algo's in them and i don't want to get a warn after posting), ever since September 2019 i was really interested in whole demoscene and warez-scene too, even ASM/Delphi programming. However, the keygen algo's used in these keygen projects were not made by me, but they were used only to make the keygens look real (that's why i've censored some serials on some of the pictures above), not to rip them, but BIG thanks to ev1l^4, TomaHawk, DigitalDreamer and s3rh47 for the keygen algo's , so please don't blame on me for that. Templates no.6 and 7 are only crack templates and haven't inserted any patch engine on them cuz i was just lazy (or it doesn't need to include them since they're only templates). :m Perhaps on graphical effects and music, I've used: x0man's aboutbox effect on six of these ( templates no. 
1, 2, 3, 4, 6 and 8 ), and thanks to Xylitol for sharing it and to x0man for the effect. BASSMOD for the music ( used on temps 1, 4 and 8 ) , thanks to Xylitol for the ASM applet and Ufo-Pu55y for the lib. It was used only for non-interpolation playback for most chiptunes. uFMOD for the music used only on template no.7 (linear playback). Magic's V2m engine ( used on temps 2 , 3 , 5 and 6 ) , thanks to MagicH_2001 for the engine fudowarez's starfield effect (used only on template no.7) , thanks to him for it diablo2oo2's text scroller effect (used on temps 5 and 7), thanks to him for the applet MackT's image effect (used on template no.5), thanks to him for it If you guys want me to share the full ASM projects, let me know so i can remove the keygen algo's and post them through zip/rar files. Plus, some of the GFx's were inspired from tPORt's, and from other ones . :p And as i said earlier, i am just showing you my GFX and assembly programming skills only, and i don't want to release the full keygens nowhere cuz they are only templates. By the way , have a nice day , and if you guys are interested, pm me and i'll make GFX's for you tho .
    6 points
  13. This is a prime example of how combining obfuscators can only work in your favour if you actually use them properly. Spoiler alert: they are not used correctly in this unpackme Approach: TestCawkMod-cleaned.exe
    6 points
  14. A Complete Article - https://back.engineering/17/05/2021/ Download Link - https://githacks.org/vmp2 Author - https://githacks.org/_xeroxz
    6 points
  15. https://githacks.org/vmp2/vmdevirt vmdevirt lifts vmp IL generated by vmemu to llvm ir which can then be optimized and compiled back to native instructions. I have released a pretty rough/early version of EasyAntiCheat devirtualized here: https://www.unknowncheats.me/forum/anti-cheat-bypass/468099-easyanticheat-sys-devirtualized-version-1-optimizations.html The goal has been to generate semantically correct native so that you can execute the binary... here is hello world devirtualized: https://githacks.org/-/snippets/45 If you have any input/suggestions for llvm you can reply or email me at _xeroxz@back.engineer P.S vmdevirt will also be used for vmp3 as the lifters/profiles are pretty much the same. All I need to do to support vmp3 is to recode some of vmemu...
    6 points
  16. 6 points
  17. it seems they are using a stolen version of DNGuard Enterprise and made a cloud version of it! so it's a DNG 3.9.6.2 Enterprise and almost none of the options are true. here is the password: approach: unpacked file attached. B.R Unpackme_cleaned.exe
    6 points
  18. Oh I didn't try to be mean. It was just a feeling that I had while solving the challenge. I guess it was late in the night when I wrote this reply, which might made my post seem a little bit aggressive. Don't get me wrong, I really enjoyed reversing this challenge. Bruteforce challenges are just not really my cup of tea Anyway, I just pushed my full write-up with all scripts and dumps to my GitHub: https://github.com/Washi1337/ctf-writeups/tree/master/Miscellaneous/tuts4you/ClumsyVM
    6 points
  19. Are you absolutely sure this is doable without bruteforce? After spending some hours on analyzing and devirtualizing, this crackme feels very much like a "guess-what-the-author-wanted-you-to-do" challenge, rather than an actual reverse engineering challenge where we have to infer the password based on the code. In the spoiler some more detailed info of why I think this is the case. EDIT:
    6 points
  20. So you want to download some releases from snd? alright let's see at snd.webscene.ir, the distribution section menu contains a link pointing at hxtps://keygens.pro/ Super, looks like there are a lot of cracks over here! and the site is virus free, right? So let's pick something, i don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/ lol @ description on the page, didn't know reagan was from snd and born in russia Anyway we get redirected to a download page after clicking the 'Download only Keygen' button, we have to fill a captcha and agree to the conditions. The archive is password protected and contains only one file "setup_pass-123.exe". If we try to download some other random files from the keygens.pro collection, sometimes we have variations. e.g: Any.video.converter.Ultimate.keygen-URET hxtps://keygens.pro/crack/733508/ which contains a 'readme.txt' but we still have our suspicious setup_pass-123.exe inside. Antiviruses aren't really happy about the file when sent to virustotal, but hey, it's kind of normal, it's a crack after all. The file in question is identified massively as 'remcos' (avira, kaspersky, f-secure,..) remcos is a known trojan, and this time they are right. I've sent the file to my capev2 (like cuckoo sandbox but with python3) which also identified it as remcos, and even exactly version 2.7.0 Pro.
     The process tree:

     path-pass-123.exe 1204
     powershell.exe 764  powershell -w 1 -e cwB0AGEAcgB0AC0A [REDACTED]
     mc.exe 588
     mc.exe 2816
     trading_bot.exe 2776
     services.exe 484  C:\Windows\system32\services.exe
     lsass.exe 2992  C:\Windows\system32\lsass.exe

     mc.exe does an NtOpenMutant with mutex name 'Remcos_Mutex_Inj', and a few DeleteFile() calls:

     DeletedFile: C:\Users\PC\AppData\Local\Temp\g23cbt11.tv1.ps1
     DeletedFile: C:\Users\PC\AppData\Local\Temp\rgmxlij1.zlj.psm1
     DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a5a4f0c9-7658-465a-89b7-50210e17552a
     DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aa1cabc1-b688-4c89-bf51-d9e59fc195d8
     DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_33715418-423c-4ee6-9bfb-e19632c208c1
     DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9fccf31-e642-45c3-b729-86cbf5ec234c
     DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99c3bc19-136a-483f-a231-8276ab84ee13
     DeletedFile: C:\Users\PC\AppData\Roaming\Microsoft\mc.exe
     DeletedFile: C:\Users\PC\AppData\Local\Temp\webcam.png
     DeletedFile: C:\Users\PC\AppData\Local\Temp\screenshot.jpg
     DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\cookies.sqlite24628718
     DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\formhistory.sqlite24628875

     About the dropped files, it writes a file 'logs.dat' into \AppData\Roaming\temp\, in my case:

     [2020/10/15 05:31:33 Offline Keylogger Started]
     [ Program Manager ]
     [Following text has been copied to clipboard:]
     h
     [End of clipboard text]
     { User has been idle for 400 minutes }

     And what was the 'screenshot.png' he created and then deleted?
     this: one of my capev2 VMs, the malware has a bit oversized the screenshot though. The file sniffs keystrokes, harvests/steals private information from browsers and messenger clients, takes screenshots from the PC and webcam if connected, and installs itself for autorun at startup, yep that's not really what we were looking for. Alright... let's search for another site then.. We type "download crack" on google and we are now on keygenninja.com (former KeygenGuru) according to them. The site is the second result on the google main page, the authors of the sites play on search engine rankings, .. and are extremely well positioned (they pay Google for that). Let's try to download something, idk, maybe 'Panopticum IcePattern v1.2 for Adobe Photoshop' hxtps://keygenninja.com/serial/panopticum_icepattern_v1_2_for_adobe_photoshop.html We click the 'Download Keygen' button and get redirected to another site hxtps://cracknet.net/d/a95b2bff8a272ss9p.html Now we are on a page with 2 big 'download' buttons, the text also indicates that the archive password is 12345. When you click on the button the download is launched, but from another external site: hxtps://get.ziplink.xyz/ I've also found another site: serialms.com, this is just another 'showcase site'. All the cracks point to the same address (cracknet.net). They also have the same db as keygenninja.com. Well, we have 3 files in the archive, one executable, and unlike keygens.pro, this time we have the info files (nfo and diz file), apparently a release from team inferno (a cracking group who disbanded in 2006). The nfo says it was released in may 2020 and the file timestamps seem from 2020, is inferno back? When extracting the executable from the archive, we get a suspicious 'rar sfx archive' icon, if we look at the executable properties, windows will confirm it's a self-extracting archive. Meaning we can also rename the file to .rar and open it with winrar to see what's going on.
     btw that archive inside the archive [insert xzibit yo dawg meme here] is also password protected with '12345'. According to virustotal only 10 of 70 engines detect it as hostile. Suspicious again huh? let's send this file to capev2 too. When sending a password protected sfx archive, you need to fill the option field with 'arguments=-p 12345' in capev2, so it will be able to run it with the password. And.. here is the process tree.. yep a big one too, the sfx archive contains an sfx archive, which contains several other sfx archives [insert again xzibit meme here] and executes everything, resulting in a lot of new processes.

     Panopticum.IcePatter.exe 172  -p12345
     cmd.exe 2696  C:\Windows\system32\cmd.exe /c ""C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen.bat" "
     intro.exe 816  intro.exe 1O5ZF
     keygen-step-1.exe 3916  keygen-step-1.exe
     keygen-pr.exe 3892  keygen-pr.exe -p83fsase3Ge
     key.exe 1280
     keygen-step-3.exe 3524  keygen-step-3.exe
     cmd.exe 3804  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
     PING.EXE 2572  ping 1.1.1.1 -n 1 -w 3000
     keygen-step-4.exe 2624  keygen-step-4.exe
     file.exe 3896
     002.exe 4548
     Setup.exe 4152
     slic.exe 4148  1
     984D0A19445AA8C5.exe 1552  0011 installp1
     984D0A19445AA8C5.exe 1144  200 installp1
     cmd.exe 3280  cmd.exe /c taskkill /f /im chrome.exe
     msiexec.exe 2880  msiexec.exe /i "C:\Users\PC\AppData\Local\Temp\gdiview.msi"
     services.exe 472  C:\Windows\system32\services.exe
     svchost.exe 592  C:\Windows\system32\svchost.exe -k DcomLaunch
     dllhost.exe 3832  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
     dllhost.exe 2064  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
     svchost.exe 3224  C:\Windows\system32\svchost.exe -k netsvcs
     VSSVC.exe 3648  C:\Windows\system32\vssvc.exe

     One file leads to many files. So what's going on? well, a lot of things.
     This isn't remcos RAT like in keygens.pro, i don't know what exactly all of this is, my capev2 seems to detect it as Azorult (a known password stealer). I think it's a false positive for the 'azorult' malware family but this one is also harvesting credentials from browsers, bitcoin wallet clients, FTP clients, email clients... BTRSetp.exe seems packed with 'Eshelon revolution protector', it also has a mention of lenin.

     // Module
     [module: SuppressIldasm]
     [module: Glory_to_the_Great_Lenin_and_the_October_Revolution!!!("Eshelon Revolution Protector ")]
     [module: EF58C16E8C("Discord Link : v1.0.0-custom")]

     The batch file keygen.bat unpacks keygen-step-4.exe with password 83fsase3Ge. This archive contains key.exe and JOzWR.dat; when key.exe is executed it will look in the same folder for the file JOzWR.dat, which is later decoded by key.exe and loaded in memory, a 'lzma decoder' (screenshot of it in memory). The dumped JOzWR.dat is detected by 13 engines. ASCII "-txt -scanlocal -file:potato.dat" potato.dat is a file that will be later created in %TEMP% and which contains harvested serial numbers from your applications, including the windows license key. Example of what the file contains in my capev2:

     Computer: PC-PC - Main scan
     Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
     Microsoft Office Professional Plus 2010 - Product ID - REDACTED-REDACTED-REDACTED-REDACTED
     Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
     Windows 7 Ultimate - Extra info - Full product name: Windows 7 Ultimate Service Pack 1
     Product ID match to CD Key data
     Product Part No.: REDACTED
     Installed from 'Full Packaged Product' media.
     Is OEM: No
     Windows 7 Ultimate - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
     Windows 7 Ultimate - Product ID - REDACTED-REDACTED-REDACTED-REDACTED
     Windows 7 Ultimate - User - PC
     Computer: PC-PC - Deep scan

     The guy who wants free serials gets his serials harvested, isn't that a paradox? In conclusion: never open or visit crack sites if you don't have the knowledge to avoid infections, use common sense as some will even try to trick you with fake nfo/fake releases. Maybe buy your software (or crack them yourself) to avoid that, and don't trust crack sites at all, even if they were 'legitimate' like keygens.pro, they can go rogue anytime.
    5 points
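Added example, not from the post: a small Python triage rule set run over constructed process-creation records that mirror the two process trees in the post (PIDs, parent PIDs and paths are made up; command lines are trimmed copies of what the sandbox showed). It flags the behaviours that run exhibited: encoded PowerShell with a hidden window started from a Downloads path, anything run out of a RarSFX scratch directory, the ping-then-del self-deletion, killing the browser, and an MSI installed from Temp.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Command-line patterns matching the behaviours seen in the post's sandbox run.
CMDLINE_RULES = {
    # "powershell -w 1 -e <base64>": encoded command, hidden window
    "encoded_powershell": re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}"),
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b"),
    # "cmd /C ping <ip> -n 1 -w 3000 > Nul & Del ...": delay, then self-delete
    "ping_delay_self_delete": re.compile(r"(?i)\bping\b.*-n\s+\d+.*&\s*del\s+"),
    "kill_browser": re.compile(r"(?i)taskkill\s+/f\s+/im\s+(?:chrome|firefox|msedge|iexplore)\.exe"),
    "msi_from_temp": re.compile(r"(?i)msiexec(?:\.exe)?\s+/i\s+\"?[^\"]*\\temp\\[^\"]*\.msi"),
    # anything executed out of WinRAR's self-extractor scratch directory
    "sfx_temp_dir": re.compile(r"(?i)\\RarSFX\d*\\"),
}
# A script host whose parent process lives in a user-writable location.
USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\(?:Downloads|AppData)\\|\\Temp\\")
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def rules_by_pid(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """Return {pid: {names of rules that fired}} for every event that matched."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, Set[str]] = {}
    for e in events:
        fired = {name for name, rx in CMDLINE_RULES.items() if rx.search(e.cmdline)}
        parent = by_pid.get(e.ppid)  # parent may be absent from the capture
        if parent and e.image.lower() in SCRIPT_HOSTS and USER_WRITABLE.search(parent.cmdline):
            fired.add("script_host_from_user_path")
        if fired:
            hits[e.pid] = fired
    return hits


# Constructed sample: the first tree (setup_pass-123.exe -> powershell -> mc.exe),
# the second (the SFX-in-SFX keygen chain), plus two benign records as noise.
SAMPLE = [
    ProcEvent(1204, 1000, "setup_pass-123.exe", r"C:\Users\PC\Downloads\setup_pass-123.exe"),
    ProcEvent(764, 1204, "powershell.exe", "powershell -w 1 -e cwB0AGEAcgB0AC0A[REDACTED]"),
    ProcEvent(588, 764, "mc.exe", r"C:\Users\PC\AppData\Roaming\Microsoft\mc.exe"),
    ProcEvent(172, 1000, "Panopticum.IcePatter.exe", "Panopticum.IcePatter.exe -p12345"),
    ProcEvent(2696, 172, "cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen.bat" "'),
    ProcEvent(3804, 3524, "cmd.exe",
              r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q '
              r'"C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"'),
    ProcEvent(3280, 1552, "cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    ProcEvent(2880, 4152, "msiexec.exe", r'msiexec.exe /i "C:\Users\PC\AppData\Local\Temp\gdiview.msi"'),
    ProcEvent(3001, 1000, "powershell.exe", r"powershell -NoProfile -File C:\Scripts\backup.ps1"),
    ProcEvent(3002, 1000, "msiexec.exe", r'msiexec.exe /i "C:\Users\PC\Downloads\7zip.msi"'),
]


if __name__ == "__main__":
    for pid, names in sorted(rules_by_pid(SAMPLE).items()):
        print(pid, ", ".join(sorted(names)))
```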
  21. For those interested, I have installed a new dark theme and deleted the others. Scroll to the bottom of the page to find the option to change themes... Ted.
    5 points
  22. Happy New Year 2021 For All members
    5 points
  23. Happy New Year and welcome to 2021! I hope we have a better year than 2020 and we get back to some normality... Ted.
    5 points
  24. 5 points
  25. Fully unpacked V3: So I noticed that the dll and the executable are both protected with .NET Reactor. The dll has 5 virtualized methods. The purpose of that is probably to prevent people from cracking the unpackme. Since this is not a crackme, I have decided to fully unpack cuz I have a lot of free time to do it. I just dragged the files to my deobfuscator so I'll just explain the steps of what my deobfuscator did to deobfuscate the contents of the unpackme. 1. Get rid of the code flow obfuscation. You can use Hussaryn/NET-Reactor-Cflow-Cleaner-6.7.0.0 since this one is updated. I haven't tested this one though so I am not sure. 2. Detect necrobit and read encrypted method bodies in resources. The method bodies are stored in resources and the decryption routine has a part in the code that has a random generated mutation. The trick to that is using a CIL emulator. I use DNEmulator, but the repository is gone. I think De4dot emulator is good enough for this one. 3. Do step 1 again since it might have control flow obfuscation applied to some methods. You could also read this blog and use reflection to get the decrypted method bodies. It is explained where .NET Reactor stores its decrypted method bodies. But I am not a fan of using reflection, so I don't want that. I guess this should work on most unpackmes but not all since it is lacking something. 4. Detect obfuscated ldtokens. The obfuscated token is not really obfuscated. It is just stored as an integer and some function resolves the token and returns the runtimetypehandle of that. 5. Detect and devirtualize virtualized functions. I learned a lot from @TobitoFatito's explanation. The Instruction Set Architecture of .NET Reactor VM is almost the same as .NET CIL. So it should be easy to understand the VM if you already understand .NET CIL. 6. Do step 1 again since it might have control flow obfuscation applied to some devirtualized methods. 7. Detect and decrypt string encryption. 
     The decryption routine is similar to the necrobit decryption routine and the encrypted string data is stored in resources. Once the resources data is decrypted, you can find the calls that are using the decryption method and get the string data by acquiring the first argument and using that to go to the offset of the decrypted data, read the first 4 bytes and convert them to int32 to get the string length, then read the string data after the string length data. 8. Detect and decrypt resource encryption. The resources have more than 1 decryption mode and they are also compressed. I think the method that de4dot uses for this one still works. Code: ResourceResolver.cs 9. Use de4dot to clean the rest and fix names. Files: WindowsFormsApplication41-Deobfuscated-cleaned.exe WindowsFormsApplication41yippi-Deobfuscated-cleaned.dll
    4 points
  26. auto unpacker (really just a dumper that uses unicorn-engine and automates the process, this has been done a thousand times) for usermode vmp2 bins as of this commit: https://githacks.org/vmp2/vmemu/-/commit/3c08edac2c4c452f0c50080eb0d801331f7ce4f6 The unpacker does not recover the original entry point, it's simply just a way for me to statically decrypt/unpack all sections in a standardized way so that you can run VMEmu upon the module. I fix sections (set raw ptr/size equal to virtual rva/virtual size) and append relocation blocks and relocation entries for relocations not declared in the relocation directory. A "dump" is a pretty subjective term so the need for this auto unpacker/dumper was clear. I also recoded VMEmu entirely (https://githacks.org/vmp2/vmemu/-/blob/3c08edac2c4c452f0c50080eb0d801331f7ce4f6/src/vmemu_t.cpp) as the older code was very incorrect. Such things as the virtual JMP instruction can change virtual machine handler tables if the binary has more than a single virtual machine. This caused crashing. This is fixed now. Here is an example of what I'm talking about though:

     ======================== [JMP #12] ========================
     > 0x00007FF70775ECA5 mov esi, [rbp]
     > 0x00007FF70775ECAE add rbp, 0x08
     > 0x00007FF7077659EF lea r12, [0x00007FF7077AB900] <-- vm handler table
     > 0x00007FF7077659F9 mov rax, 0x100000000
     > 0x00007FF707765A08 add rsi, rax
     > 0x00007FF707765A0F mov rbx, rsi
     > 0x00007FF707765A1B add rsi, [rbp]
     ======================== [JMP #26] ========================
     > 0x00007FF70774EF41 mov esi, [rbp]
     > 0x00007FF70775CE38 add rbp, 0x08
     > 0x00007FF707737355 lea r12, [0x00007FF707740E7D] <-- vm handler table
     > 0x00007FF70773735E mov rax, 0x100000000
     > 0x00007FF70773736D add rsi, rax
     > 0x00007FF707737376 mov rbx, rsi
     > 0x00007FF70773737F add rsi, [rbp]

     I'm now preparing to lift to llvm-ir and I have removed VTIL as I don't see a clear path forward using VTIL to get back to native x86_64.
I am making steps toward entire module devirtualization and not just a single virtual routine. I've written the code/algos to locate all virtual machine handler tables and all vm enters. You can find them here: https://githacks.org/vmp2/vmprofiler/-/blob/99f1f695ed0e10c278076b037edd399965563140/src/vmlocate.cpp#L5 https://githacks.org/vmp2/vmprofiler/-/blob/99f1f695ed0e10c278076b037edd399965563140/src/vmlocate.cpp#L130 I have added a new flag "--locateconst" which will first locate every single vm enter and then run vmemu on it to statically decrypt all virtual instructions. It will then loop over the virtual instruction code blocks for each virtual instruction and try to find any virtual instructions with an operand that matches the constant value you specified. This is really useful for locating math primes/relative virtual addresses and such... great for attacking. Lastly, I rewrote the deadstore removal algo so that it produces much cleaner output. This algo will only work on vm arch related code such as vm handlers/vm_entry/calc_jmp as these are all linear and don't have any real JCCs. https://githacks.org/vmp2/vmprofiler/-/blob/99f1f695ed0e10c278076b037edd399965563140/src/vmutils.cpp#L161
    4 points
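The handler-table loads in the listings above (lea r12, [...]) are RIP-relative, so the scan the poster describes in vmlocate.cpp can be sketched as a pattern search that resolves each displacement to an absolute address. This is an added example, not code from the vmemu/vmprofiler repositories: the sample bytes, base address and register number are constructed to mirror the [JMP #12] listing, and the choice of r12 is only what that build used.

```python
import struct


def find_rip_relative_lea(code, code_va, reg):
    """Find every `lea <reg>, [rip+disp32]` in raw x86-64 code and resolve the
    displacement to an absolute address.

    code    -- section bytes as mapped in memory
    code_va -- virtual address of code[0]
    reg     -- destination register number (rax=0 ... r15=15); the listings
               above load the handler table into r12, but the register
               varies between VMProtect builds
    Returns [(instruction_va, target_va), ...].
    """
    # Encoding: REX.W (REX.R set for r8..r15) 8D /r, ModRM mod=00 rm=101,
    # i.e. RIP-relative addressing with a signed 32-bit displacement.
    rex = 0x48 | (((reg >> 3) & 1) << 2)
    modrm = ((reg & 7) << 3) | 0b101
    pattern = bytes([rex, 0x8D, modrm])
    insn_len = 7  # REX + opcode + ModRM + disp32

    hits = []
    pos = code.find(pattern)
    while pos != -1:
        if pos + insn_len <= len(code):
            disp = struct.unpack_from("<i", code, pos + 3)[0]
            next_ip = code_va + pos + insn_len  # RIP points past the instruction
            hits.append((code_va + pos, next_ip + disp))
        pos = code.find(pattern, pos + 1)
    return hits


def locate_handler_tables(code, code_va, reg=12):
    """Distinct handler-table addresses referenced from `code`; a binary with
    more than one VM (as in the JMP #12 / JMP #26 listings) yields several."""
    return sorted({target for _, target in find_rip_relative_lea(code, code_va, reg)})


# Constructed sample (not bytes from a real binary): a sequence shaped like the
# [JMP #12] listing above, laid out so that the lea sits at 0x7FF7077659EF and
# resolves to 0x7FF7077AB900.
SAMPLE_VA = 0x7FF7077659E0
SAMPLE_CODE = (
    b"\x8B\x75\x00"                                 # mov esi, [rbp]
    + b"\x48\x83\xC5\x08"                           # add rbp, 8
    + b"\x90" * 8                                   # padding up to offset 0xF
    + b"\x4C\x8D\x25" + struct.pack("<i", 0x45F0A)  # lea r12, [rip+0x45F0A]
    + b"\x48\xB8" + struct.pack("<Q", 0x100000000)  # mov rax, 0x100000000
    + b"\x48\x01\xC6"                               # add rsi, rax
)

if __name__ == "__main__":
    for insn_va, table_va in find_rip_relative_lea(SAMPLE_CODE, SAMPLE_VA, 12):
        print(f"{insn_va:#x}: lea r12, [{table_va:#x}]  <-- vm handler table")
```

A raw byte scan like this will also match the same encoding inside unrelated code, so in practice each hit is confirmed by emulating or disassembling from it to check that the surrounding instructions look like a vm_entry or calc_jmp stub, which is what the poster's VMEmu pass does.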
27. For this one I used the same unpacker I used in this thread: without any modifications, then I cleaned it in de4dot, manually removed all the vm classes and then I renamed some stuff to make it look cleaner. I attached the unpacked assembly. For more information you can go to my first reply on the thread I mentioned above. crk2-unpacked-cleaned-fixed.exe
    4 points
28. I was unable to unpack this executable but have made some progress in creating a devirtualiser. First thing I've done is debug the program to understand how the vm works. There I've realised that class \u0008\u2008 is the VM class, in which most of the VM code is located. Then I dumped \u0008\u2008.\u0006\u2002; this is a field of type Dictionary<int, \u0008\u2008.\u0002\u2000> where int is the vm opcode id and \u0008\u2008.\u0002\u2000 is a method associated with that VM opcode. After I had that dumped I ran it through my program and was able to link some of those methods to CIL opcodes. You'll be able to download the map from the file below. Then I linked those CIL opcodes to instruction ids. This allows me to devirtualise virtualized code. Now I needed method bodies. Those were pretty easy to obtain. You'll be able to see both virtualised and devirtualised bodies in the file below. Ok so I knew what opcode corresponds to what VM opcode and had all the virtualised bodies so I should be able to unpack it, but that wasn't the case because of 2 factors. First one is that the operands for certain instructions (call, ldtoken, callvirt, ldfld, stfld...) are encrypted. All eaz assemblies have an encrypted resource from which they get these values. I tried to decrypt these values but failed, but fortunately I was able to semi-circumvent this.
Eaz caches all the decrypted operands, so I ran the program, gave a wrong input and dumped the assembly and obtained these values; unfortunately the values that were not decrypted didn't get cached so I was unable to obtain them. The list of decrypted operands is in the file below. Second issue is the eaz opcode callinernal (my nickname). This opcode takes an encrypted operand as the argument and uses it to pretty much create a dynamic method. I wasn't able to get bodies for these methods (I was able to get 3 including anti-dbg code), and from the looks of it they are important. I tried to fix these two issues but couldn't so I gave up. I decided to just devirtualise the bodies I had with the limited information I had and you can get those unpacked bodies from the file below. I hope this info proves useful to someone so they can make an unpacker. I just wanna be clear on this one: the <Decrypted></Decrypted> field refers to whether the operand was decrypted and <BranchTo></BranchTo> refers to the command that the branch instruction is referencing.
Forgot to mention, might be important: the method that runs the vm code looks like this:

    private void \u0008\u2000(bool \u0002)
    {
        uint u0005_u = this.\u0005\u2001;
        for (;;)
        {
            try
            {
                while (!this.\u000E)
                {
                    if (this.\u0008\u2003 != null)
                    {
                        this.\u0003\u2001 = this.\u0008\u2003.Value;
                        this.\u0002((long)((ulong)this.\u0003\u2001));
                        this.\u0008\u2003 = null;
                    }
                    else if (this.\u0003\u2001 >= u0005_u)
                    {
                        break;
                    }
                    this.\u0006();
                }
            }
            catch (object u)
            {
                this.\u0002(u, 0U);
                if (\u0002)
                {
                    continue;
                }
                this.\u0008\u2000(true);
            }
            break;
        }
    }

The part that executes the vm opcode is this.\u0006(); and it looks like this:

    private void \u0006()
    {
        this.\u0002\u2002 = this.\u0003\u2001;          // remember the current vm ip
        int key = this.\u000E\u2003.\u0006();            // read the vm opcode id from the body
        this.\u0003\u2001 += 4U;                         // advance past the 4-byte id
        \u0008\u2008.\u0002\u2000 u0002_u;
        global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);       // opcode id -> handler
        u0002_u.\u0003(this, this.\u0002(this.\u000E\u2003, u0002_u.\u0002)); // run the handler
    }

This line generates the vm opcode id:

    int key = this.\u000E\u2003.\u0006();

And this line gets the method associated with that key:

    global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);

and the last line executes it. Data.xml
    4 points
29. Methodology - Since it is a CrackMe I won't bother to generate/find a valid serial by understanding the algo. So I'm simply going to patch it to accept any key or show the valid message from any of that. Thanks to RCE community members from all those different forums who shared their knowledge with the public. Valid Key - Steps - Image - Method 2 - Since it is a CrackMe these methods make sense, but in a real-world app they are not so useful. We need to devirt the app to fully read the code. So you can follow my 1st comment regarding complete unpacking of your code.
    4 points
30. In your assembly there is a field Interpreter.zC which contains the virtualized version of the IL code. This is a field of type Dictionary<int, byte[]> and the int in there is the md token of the method, so I knew which body corresponds to which method. Then I copied some code from your assembly to my devirtualizer. So then I convert a body from byte[] to o (class name); then we have property L2 which contains a list of instructions. An instruction is of type x (also a class name). One of the properties of x is p4 which indicates what op command that x is. With that info I can easily convert o to a list of CIL instructions, and in field xV there is additional info about the instruction if necessary, so if the instruction is ldstr field xV will contain the string... Then reconstruct the bodies, remove the vm code and fix issues and that's it. There is an unpacked assembly below. UnPackMe-ILV -Unpacked-Cleaned.exe
    4 points
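Both the Eazfuscator write-up in post 28 (a Dictionary<int, handler> dispatched on a 4-byte opcode id, with some operands only known when the protector has already decrypted and cached them, and a BranchTo field for branch targets) and the ILV write-up in post 30 (bodies keyed by method md token) reduce to the same lifting loop. The following is an added example, not either poster's devirtualizer: the opcode ids, operand widths, the rule that branch operands are body offsets, and the sample body and operand cache are all constructed for illustration.

```python
import struct

# Constructed map from vm opcode id to the CIL opcode its handler implements.
# The ids are invented; in practice this map comes from dumping the
# Dictionary<int, handler> and matching each handler to a CIL opcode.
VM_TO_CIL = {
    0x1A: "ldarg.0",
    0x2B: "ldc.i4",
    0x3C: "call",
    0x4D: "brtrue",
    0x5E: "ret",
    0x6F: "add",
}

# Assumption: every inline operand is 4 bytes; opcodes not listed have none.
OPERAND_SIZE = {"ldc.i4": 4, "call": 4, "brtrue": 4}
# Assumption: these opcodes carry an encrypted operand id that is only known
# if the protector decrypted it at run time and it was captured from the cache.
ENCRYPTED_OPERAND = {"call"}


def lift_body(body, vm_to_cil=VM_TO_CIL, operand_cache=None):
    """Decode one virtualized body: 4-byte vm opcode id, then its operand.

    Returns a list of dicts with offset, opcode, operand, decrypted and
    branch_to (index of the target instruction for branches, else None).
    """
    operand_cache = operand_cache or {}
    insns = []
    pos = 0
    while pos < len(body):
        key = struct.unpack_from("<I", body, pos)[0]
        mnem = vm_to_cil.get(key)
        if mnem is None:
            raise ValueError(f"unmapped vm opcode {key:#x} at offset {pos:#x}")
        insn = {"offset": pos, "opcode": mnem, "operand": None,
                "decrypted": True, "branch_to": None}
        pos += 4
        size = OPERAND_SIZE.get(mnem, 0)
        if size:
            if pos + size > len(body):
                raise ValueError(f"truncated operand for {mnem} at {pos:#x}")
            raw = struct.unpack_from("<i", body, pos)[0]
            pos += size
            if mnem in ENCRYPTED_OPERAND:
                # keep the raw id when the decrypted value was never cached
                insn["operand"] = operand_cache.get(raw, raw)
                insn["decrypted"] = raw in operand_cache
            else:
                insn["operand"] = raw
        insns.append(insn)

    # Assumption: a branch operand is the vm-body offset of its target.
    by_offset = {i["offset"]: n for n, i in enumerate(insns)}
    for insn in insns:
        if insn["opcode"].startswith("br"):
            insn["branch_to"] = by_offset.get(insn["operand"])
    return insns


def lift_module(bodies, operand_cache=None):
    """bodies: {md_token: virtualized body bytes}, as in Interpreter.zC."""
    return {tok: lift_body(b, VM_TO_CIL, operand_cache) for tok, b in bodies.items()}


def sample():
    """Constructed virtualized body and operand cache (not from a real binary)."""
    body = b"".join([
        struct.pack("<I", 0x1A),            # ldarg.0             @0
        struct.pack("<Ii", 0x2B, 5),        # ldc.i4 5            @4
        struct.pack("<I", 0x6F),            # add                 @12
        struct.pack("<Ii", 0x4D, 28),       # brtrue -> @28       @16
        struct.pack("<I", 0x5E),            # ret                 @24
        struct.pack("<Ii", 0x3C, 0xDEAD),   # call, cached id     @28
        struct.pack("<Ii", 0x3C, 0xBEEF),   # call, uncached id   @36
        struct.pack("<I", 0x5E),            # ret                 @44
    ])
    cache = {0xDEAD: "System.Console::WriteLine(int)"}
    return lift_module({0x06000001: body}, cache)[0x06000001]


if __name__ == "__main__":
    for insn in sample():
        print(insn)
```

The `decrypted` flag is what distinguishes a body that can be written back as real CIL from one that still has unknown call or field targets, which is exactly the gap post 28 describes; a writer that emits the CIL should refuse to serialize any body containing an undecrypted operand rather than emitting a bogus token.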
  31. @LCF-AT as I know how much you enjoy change, this one is for you... Ted.
    4 points
32. Very simple example, just to show the idea..

    using dnlib.DotNet;

    class Program
    {
        static void Main(string[] args)
        {
            using (var module = ModuleDefMD.Load(args[0]))
            {
                foreach (var type in module.GetTypes())
                {
                    foreach (FieldDef field in type.Fields)
                    {
                        // this will change all string constant values to "kao". Make sure to fix the `if`!!!
                        if (field.HasConstant && field.ElementType == ElementType.String)
                        {
                            field.Constant.Value = "kao";
                        }
                    }
                }
                module.Write(args[1]);
            }
        }
    }
    4 points
33. There's the WinDivert library which allows you to do all of this. WinDivert is in C but there are bindings for Python & C#. You can check the source code of Clumsy, which utilizes WinDivert to selectively modify packets. It's in C. There's also the now discontinued flare-fakenet-ng which uses the Python bindings - pydivert. https://reqrypt.org/windivert.html http://jagt.github.io/clumsy/ https://github.com/fireeye/flare-fakenet-ng
    4 points
34. Finally my new effect has arrived and it's called "Crazy Word 0.1" by x0man, although it's ripped (with a little bit of help from KesMezar). To get the gradient color squares on the aboutbox bg, you must cut from a template using MSPaint (or perhaps just use some colored/gradient image), save it as JPG, and then you should insert 0Ah on these codes:

    mov var_4, 0
    push 0CC0020h   ; color for solid background i think ..
    push 0Ah        ; 0C8h picture height (200)
    push 0Ah        ; 190h picture width (400)
    push 0

and then you should insert the jpg file into resources and load the jpg from the resource. However, I wrote some comments in the CrazyWord.asm file to see more about the effect. Notice that in the rc file, where you've already loaded the jpg, you may need to disable visual mode and then change the "RCDATA" to "IMAGE", otherwise the background will go black and then the words will be painted all over. And this should be the background for the aboutbox:

    1453 IMAGE DISCARDABLE "poopsie.jpg"

2 variants of sizes for the aboutbox:
- 320x200 (like this one) = 140h x 0C8h
- 400x200 = 190h x 0C8h
By the way the keygen algo is removed as usual. v2m by Soft Maniac. KeygenTemp20.zip
    4 points
  35. 4 points
  36. That is it. Or c:\:$i30:$bitmap inside of a shortcut file would do the job. This will cause immediate corruption in Win10 builds 1803 or later. It will cause prompts to reboot to repair the disk and then chkdsk on boot will be unable to repair. This sounds quite dangerous as it makes downloading zip or rar archives and extracting them potentially harmful if they contain such a shortcut .lnk in them. https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
    4 points
  37. I will release an update for the tool which allows the skipping of metadata writing errors!
    4 points
38. I also have to say that I'm impressed by the result. Excellent indeed. Since there is knowledge and maybe tools, sharing the method or the tools (as @SychicBoy did for his control flow deobfuscator) would be great for the community. Personally, in solving the challenge, when dealing with this kind of obfuscator, I hook UnsafeInvokeInternal and get the result. This indeed works. In this case the challenges are simple, so reversing the logic is too. However, to properly reconstruct the assembly a different approach is obviously needed. About the Necrobit protection, what maybe is already known, and I found out: in the module constructor, a hashtable is built after the resource containing the real MSIL body has been decrypted. Then each index in the hashtable is passed to another method that natively writes the real MSIL opcodes in memory. What I tried is using Reflection to dump the hashtable after it has been populated. I get an offset (relative to the method body offset) and the MSIL bytecode. However I am stuck in reversing the process, that is parsing the bytecode, getting the IL code back and writing it successfully to the assembly.
    4 points
39. awesome.vmp35_cracked.exe Every other portion of VMP is removed, including the CRC etc. checks. But still it will not run until we fix delegates. That is still left.
    4 points
  40. This code and accompanying article is worse than most ConfuserEx mods written by script kiddies... Where do I start? Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock. "DLL hook"... You mean DLL name? Like, I don't know... a string? Not since year 2018... And it's called "Detours" And the cherry on the top! Just 4 problems in 9 lines of code! Must be a world record or something! 1) if CreateRemoteThread fails, child process is left hanging; 2) WaitForSingleObject with 4000ms timeout assumes that remote thread runs immediately and that hook DLL loads and does its stuff immediately. You just created a race condition between hooking thread and main process thread. 3) WaitForSingleObject with timeout + VirtualFreeEx creates another nasty race condition. 4) You should close the thread handle for the process you created: CloseHandle(processInformation.hThread);
    4 points
41. awesome_msil_Out.exe Approach: 1. Necrobit is a JIT protection, so we use Simple MSIL Decryptor by CodeCracker, and it should be run on NetBox. 2. Code virtualization is a relatively new feature of .NET Reactor, added in version 6.2.0.0. Here is the approach I took (I did this about 6 months ago so my memory is kinda rusty):
    4 points
  42. Indeed. Started late this year but managed to get all 10 done. Challenge 5 is literally the worst in my opinion. So much for guessing and making sense of all the weird recipes. 😂
    3 points
  43. fixed src using @sama files and added also project file for winASM. + aboutbox spinning dna strand project alone because it's lovely. SND.Reverser.Tool.1.5b1.SRC.fixed.zip Spinning DNA strand.zip
    3 points
  44. AU - gov asks to introduce detection capabilities in encrypted communication www.zdnet.com/article/canberra-asks-big-tech-to-introduce-detection-capabilities-in-encrypted-communication/ elastic license check in elasticsearch client library github.com/spring-projects/spring-data-elasticsearch/issues/1880 github.com/elastic/elasticsearch-py/pull/1623 One Bad Apple www.hackerfactor.com/blog/index.php?/archives/929-One-Bad-Apple.html 30 years on from introducing the Web to the World www.w3.org/blog/2021/08/30-years-on-from-introducing-the-web-to-the-world/ 0 AD - free strategic game play0ad.com/new-release-0-a-d-alpha-25-yauna/ The Very First Two Hours Of MTV www.youtube.com/watch?v=PJtiPRDIqtI Tesseract.js – A Javascript port of the Tesseract OCR engine tesseract.projectnaptha.com/ What it was like developing for NES back in 1990 (hellooo) twitter.com/KevEdwardsRetro/status/1423653418439254026 Scientists make discovery of dead zones where nothing can live on two US coasts thehill.com/changing-america/sustainability/climate-change/566674-scientists-make-shocking-discovery-of-dead there you go man - NASA is looking for people who want to spend a year simulating a mission on Mars www.theblaze.com/news/nasa-is-looking-for-people-who-want-to-spend-a-year-simulating-a-mission-on-mars This Captcha Patent Is An All-American Nightmare www.eff.org/deeplinks/2021/08/captcha-patent-all-american-nightmare Everything has changed in iOS 14, but Jailbreak is eternal i.blackhat.com/USA21/Wednesday-Handouts/us-21-Everything-Has-Changed-In-IOS-14-But-Jailbreak-Is-Eternal.pdf
    3 points
  45. https://ibb.co/SV4V0QR few days later hahaha insane..
    3 points
46. Installing an SEH handler or calling IsBadReadPtr is trying to deal with the symptoms (crash), not the cause of the problem (bad pointer to buffer, bad data in buffer or whatever). Don't just hide the problem - find the real cause of the problem instead.
    3 points
47.

    include bcrypt.inc
    includelib bcrypt.lib

    GenRandom PROTO

    ; Returns a 32-bit random value in eax from the system-preferred CNG RNG.
    GenRandom PROC
        LOCAL dwRandom:DWORD
        mov dwRandom, 0
        ; BCryptGenRandom(hAlgorithm, pbBuffer, cbBuffer, dwFlags)
        ; hAlgorithm must be NULL when BCRYPT_USE_SYSTEM_PREFERRED_RNG (0x00000002) is used
        Invoke BCryptGenRandom, NULL, Addr dwRandom, 4, BCRYPT_USE_SYSTEM_PREFERRED_RNG
        ; eax holds the NTSTATUS here (0 = STATUS_SUCCESS); check it before trusting dwRandom
        mov eax, dwRandom
        ret
    GenRandom ENDP
    3 points
  48. Those guys must be politicians, the way they justified their dictatorship in removing, it is funny I'm happy it's back, kinda gives a tiny hope that people can still make a change.
    3 points
  49. 3 points